How to buy MacBook for $1, or hacking SAP POS

SAP POS Xpress Server does not perform any authentication checks for critical functionality that
requires user identity. As a result, administrative and other privileged functions can be accessed
without any authentication procedure thus allowing anyone who gets into the network to change prices or
set discounts. The vulnerabilities were identified by ERPScan researchers and reported to the vendor
back in April 2017.

It’s no secret that POS systems are plagued by vulnerabilities, and numerous incidents caused by
their security drawbacks have come under the spotlight.
Unlike the majority of POS malware, which is designed to steal customers’ data, this attack provides
cyber attackers with unfettered control over the whole POS system. Multiple missing authorization checks
on the server side of SAP POS allowed a hacker to use legitimate software functionality (which must have
restricted access), meaning that malicious actions are difficult to detect.

“The major part of other POS malware is a one-trick pony as it allows nothing but compromise data.
Of course, it’s a costly risk, but the vulnerabilities we found go much further. Stealing credit card
numbers, setting up prices and special discounts, remote starting and stopping a POS terminal – all of
these options are on the hacker’s menu,” commented Alexander Polyakov, CTO at ERPScan.

What is SAP POS?

SAP POS is a part of the SAP for Retail solution portfolio, which serves 80% of the retailers in the
Forbes Global 2000. As the name implies, SAP POS is a client-server point-of-sale solution developed by
the German-based vendor.

In general, SAP POS consists of the following elements:

Client applications installed on POS terminal located in a shop; this part is used to process
transactions;

Store Server components in the store’s back office providing connective, operative and administrative
functions. Among them, there is the POS Xpress server, a store-level server application.

Applications running in the head office to enable central management.

Attack scenario

To exploit the missing authorization checks in SAP POS Xpress server, one needs access to the
network where SAP POS is located. This network can be exposed to the Internet, in which case the attack
can be conducted remotely. If not, it is still possible to obtain access, for example, by connecting
a Raspberry Pi to electronic scales inside a shop.
This means that to access the network of a retail giant, you need a tool that costs only $25.

Once you are in, you have unlimited control over the backend and frontend of the POS system, as the tool
can upload a malicious configuration file to the SAP POS Xpress Server without any authentication
procedure.
New parameters are limited only by the hacker’s imagination: they can set a special price or discount,
the time the discount is valid, and the conditions under which it works – for example, when purchasing a
specific product.
In our case, we set up an incredible discount on a MacBook.

The Xpress Server receives the new settings. To apply them, the hacker sends certain commands to the
Xpress server so that it restarts a POS terminal. The terminal, in turn, downloads the attacker’s
configuration and applies it.

Now little remains to be done – the attacker just needs to come in and buy the incredibly cheap
MacBook.

How to protect

We encourage organizations to implement the appropriate patches (SAP Security Note 2476601 and SAP
Security Note 2520064) as soon as possible to protect their business-critical assets.
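
Because the attack described above works by replacing pricing parameters with a configuration the server accepts as legitimate, comparing what a store is actually running against an approved baseline reveals changes a cashier would miss. The following is an added example, not ERPScan's or SAP's code: the field names and sample records are constructed and do not reflect the real SAP POS configuration format, and the baseline is assumed to come from the head office over a channel independent of the store server.

```python
import hashlib
import json

# Constructed sample data. Field names are hypothetical, prices are in cents.
APPROVED = {
    "SKU-1001": {"price_cents": 129900, "discount_pct": 0, "discount_until": None},
    "SKU-2002": {"price_cents": 450, "discount_pct": 10, "discount_until": "2017-09-01"},
}
DEPLOYED = {
    "SKU-1001": {"price_cents": 129900, "discount_pct": 15, "discount_until": "2017-12-31"},
    "SKU-2002": {"price_cents": 450, "discount_pct": 10, "discount_until": "2017-09-01"},
    "SKU-3003": {"price_cents": 100, "discount_pct": 0, "discount_until": None},
}

def fingerprint(cfg):
    """SHA-256 over a canonical JSON encoding, so key order does not matter."""
    canonical = json.dumps(cfg, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()

def diff_config(approved, deployed):
    """Return (item, field, approved_value, deployed_value) for every deviation."""
    findings = []
    for item in sorted(set(approved) | set(deployed)):
        old, new = approved.get(item), deployed.get(item)
        if old is None:
            findings.append((item, "<added>", None, new))
        elif new is None:
            findings.append((item, "<removed>", old, None))
        else:
            for field in sorted(set(old) | set(new)):
                if old.get(field) != new.get(field):
                    findings.append((item, field, old.get(field), new.get(field)))
    return findings

def audit(approved, deployed):
    """Cheap hash comparison first; field-level diff only on mismatch."""
    if fingerprint(approved) == fingerprint(deployed):
        return []
    return diff_config(approved, deployed)

if __name__ == "__main__":
    for item, field, old, new in audit(APPROVED, DEPLOYED):
        print(f"ALERT {item} {field}: approved={old!r} deployed={new!r}")
```

Any deviation is reported regardless of size, so a modest 15% discount is flagged the same way as a $1 price.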

FAQ

I’m a big retailer. How can I check if our POS system is exposed to the attack?

If you use the POS solution from SAP, you are vulnerable unless you install the latest patches, released
on Monday, 21st of August.

Are other POS solutions vulnerable to the same bug?

We haven’t tested other solutions yet. In general, vulnerabilities of this type can be discovered in
other solutions as well.

A cashier would notice that something is wrong when you try to buy a MacBook for $1.

Of course, the price of $1 is an exaggeration. In the event one is purchasing multiple items, a cashier
may overlook that some of them are priced lower. However, to be perfectly safe, an attacker would never
be that bold; a discount of 10-20% would go unnoticed.

Are attacker’s actions limited to the described scenario?

The missing authorization checks allow an attacker to perform every administrative function the service
provides. For example, it’s possible to disclose credit card data by changing the mask and printing card
numbers on receipts (prohibited by the PCI Data Security Standard) or sending this information to the
hacker’s server. Another vector is to turn the POS systems off remotely, which would cause significant
losses for a victim merchant.